topic Re: Finding Bandwidth consuming for particular Host in Enterprise Appliances and Gaia OShttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72597#M5529
<P>Dear&nbsp;mdjmcnally,</P><P>But Top Connections are not always proportional to the Bandwidth.</P><P>Hence with CPView will be tough to get required info.</P><P>I hope any of CheckMates who faced this query from customer can give suggestions.</P><P>&nbsp;</P><P>Regards, Prabulingam.N</P>Sat, 18 Jan 2020 11:53:58 GMTPrabulingam_N12020-01-18T11:53:58ZFinding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72421#M5516
<P>Dear All,</P><P>&nbsp;</P><P>Just wanted to check if any workaround to check the Bandwidth consumed/consuming for particular host machine.</P><P>Customer's Internet Bandwidth was choked due to "few hosts to some destination IP" consuming high.</P><P>From SmartMonitor we can see only Source or Destination which is consuming.</P><P>But we need to check for the "Which Source against Which Destination" more bandwidth consumed/consuming.</P><P>&nbsp;</P><P>Just like in Cisco command: --ip flow top-talkers</P><P>CISCO-ASA#sh ip flow top-talkers</P><P>SrcIf&nbsp; &nbsp; &nbsp;SrcIPaddress&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;DstIf&nbsp; &nbsp; &nbsp; &nbsp; DstIPaddress&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Pr&nbsp; &nbsp; &nbsp; &nbsp;SrcP&nbsp; &nbsp; &nbsp; DstP&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Bytes<BR />Gi0/1&nbsp; &nbsp; 172.215.114.126&nbsp; &nbsp; Gi0/0&nbsp; &nbsp; &nbsp; 202.100.109.236&nbsp; &nbsp; &nbsp;06&nbsp; &nbsp; &nbsp; &nbsp;0050&nbsp; &nbsp; &nbsp; BBEB&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;19M<BR />Gi0/1&nbsp; &nbsp; 123.175.213.143&nbsp; &nbsp; Gi0/0&nbsp; &nbsp; &nbsp; 202.100.109.236&nbsp; &nbsp; &nbsp;06&nbsp; &nbsp; &nbsp; &nbsp;0050&nbsp; &nbsp; &nbsp; 3891&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;16M</P><P>In above we could see 2 Sources against 2 Destinations with "Bytes" consumed.</P><P>By any chance can we see something like this in CheckPoint??</P><P>&nbsp;</P><P>Regards, Prabulingam.N</P>Thu, 16 Jan 2020 12:09:07 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72421#M5516Prabulingam_N12020-01-16T12:09:07ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72427#M5517
<P>Use CPView on the Gateway</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk101878&amp;partition=General&amp;product=Security" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk101878&amp;partition=General&amp;product=Security</A></P><P>Can pull details such as Top Connections which will show by Bandwidth the largest connections.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P>Thu, 16 Jan 2020 12:39:08 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72427#M5517mdjmcnally2020-01-16T12:39:08ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72597#M5529
<P>Dear&nbsp;mdjmcnally,</P><P>But Top Connections are not always proportional to the Bandwidth.</P><P>Hence with CPView will be tough to get required info.</P><P>I hope any of CheckMates who faced this query from customer can give suggestions.</P><P>&nbsp;</P><P>Regards, Prabulingam.N</P>Sat, 18 Jan 2020 11:53:58 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72597#M5529Prabulingam_N12020-01-18T11:53:58ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72631#M5538
<P>Hello,</P><P>I would highly recommend Craig Dods' Top Talkers script that can be found here:</P><P><A href="http://expert-mode.blogspot.com/2013/05/checkpoint-top-talkers-script-display.html" target="_blank">http://expert-mode.blogspot.com/2013/05/checkpoint-top-talkers-script-display.html</A></P><P>It should achieve what you are looking for but do let us know if that is not the case.</P><P>I hope this helps.</P>Sun, 19 Jan 2020 12:08:59 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72631#M5538Nick_Doropoulos2020-01-19T12:08:59ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72648#M5539
<P>Hi&nbsp;<LI-USER uid="7881"></LI-USER>&nbsp;</P>
<P>In computer networking, an elephant flow (heavy connection) is an extremely large in total bytes continuous flow set up by a TCP or other protocol flow measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time.&nbsp; When the observations were made that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows).</P>
<P>All packets associated with that elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type.<SPAN>&nbsp;</SPAN><BR /><BR />What typically produces heavy connections:</P>
<UL>
<LI>System backups</LI>
<LI>Database backups</LI>
<LI>VMWare sync.</LI>
</UL>
<P>Evaluation of heavy connections (epehant flows)<BR /><BR />A first indication is a high CPU load on a core if all other cores have a normal CPU load. This can be displayed very nicely with "top". Ok, now a core has 100% CPU usage. What can we do now? For this there is a<SPAN>&nbsp;</SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105762&amp;partition=General&amp;product=Security" target="_self" rel="nofollow noopener noreferrer">SK105762</A><SPAN>&nbsp;</SPAN>to activate "Firewall Priority Queues".&nbsp; This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in CPView Utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes.</P>
<P>Heavy connection flow system definition on Check Point gateways:</P>
<UL>
<LI>Specific instance CPU is over 60%</LI>
<LI>Suspected connection lasts more than 10s</LI>
<LI>Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be &gt; 30% &nbsp;</LI>
</UL>
<P>Enable the monitoring of heavy connections.</P>
<P>To enable the monitoring of heavy connections that consume high CPU resources:</P>
<P><STRONG>#<SPAN>&nbsp;</SPAN></STRONG><STRONG>fw ctl multik prioq 1</STRONG></P>
<P><STRONG>#</STRONG><STRONG><SPAN>&nbsp;</SPAN>reboot</STRONG></P>
<P>Found heavy connection on the gateway with „print_heavy connections“</P>
<P>On the system itself, heavy connection data is accessible using the command:<SPAN>&nbsp;</SPAN><BR /><BR />#<SPAN>&nbsp;</SPAN><STRONG>fw ctl multik print_heavy_conn</STRONG></P>
<P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pq5.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/4036i43BE2E66019807DE/image-size/large?v=1.0&amp;px=999" title="pq5.jpg" alt="pq5.jpg" /></span></STRONG></P>
<P>ound heavy connection on the gateway with cpview</P>
<P><EM>#<SPAN>&nbsp;</SPAN></EM><STRONG>cpview</STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CPU &gt; Top-Connection &gt; InstancesX</P>
<P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pq3.png" style="width: 608px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/4037iEFD7188117295E46/image-size/large?v=1.0&amp;px=999" title="pq3.png" alt="pq3.png" /></span></STRONG></P>
<P>More read here:</P>
<P><STRONG><A href="https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-Elephant-Flows-Heavy-Connections/m-p/69105/highlight/true#M14059" target="_self">R80.x - Performance Tuning Tip - Elephant Flows (Heavy Connections)</A></STRONG></P>Sun, 19 Jan 2020 21:42:08 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72648#M5539HeikoAnkenbrand2020-01-19T21:42:08ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72662#M5543
We have a presentation at CPX about Elephant Flows in the CheckMates track.<BR />We'll post it after the Vienna event <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>Mon, 20 Jan 2020 04:50:53 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72662#M5543PhoneBoy2020-01-20T04:50:53ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72664#M5544
<P>Hello Nick.</P><P>&nbsp;</P><P>Thanks for this script. Let me try and find if any we can see regarding the Bandwidth.</P><P>&nbsp;</P><P>Regards, Prabulingam.N</P>Mon, 20 Jan 2020 04:56:03 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72664#M5544Prabulingam_N12020-01-20T04:56:03ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72665#M5545
<P>Hello Heiko,</P><P>&nbsp;</P><P>Thanks much for detailed information and I will try this.</P><P>But still this also lists in form of CPU% &amp; Connections only, no info related to "how much Bytes consumed".</P><P>&nbsp;</P><P>I will also try Nick's script as well.</P><P>&nbsp;</P><P>Regards, Prabulingam.N</P>Mon, 20 Jan 2020 04:58:16 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72665#M5545Prabulingam_N12020-01-20T04:58:16ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72666#M5546
<P>Great then , I will await for that..</P><P>&nbsp;</P><P>Regards, Prabulingam.N</P>Mon, 20 Jan 2020 04:59:05 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72666#M5546Prabulingam_N12020-01-20T04:59:05ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72680#M5549
<P><SPAN>Top connections by throughput (Network -&gt; Top-Connections)</SPAN></P><P>This isn't done by CPU consumed but by Throughput.</P><P>Don't confuse with&nbsp;</P><P><SPAN>Top connections by CPU (I/S -&gt; CPU -&gt; Top-Connections)</SPAN></P><P><SPAN>Which will show by CPU</SPAN></P>Mon, 20 Jan 2020 07:51:48 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72680#M5549mdjmcnally2020-01-20T07:51:48ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72875#M5562
<P>Is there an SK or something that we could use now instead of waiting for a CPX event?</P>Tue, 21 Jan 2020 16:17:26 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72875#M5562C_M2020-01-21T16:17:26ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72877#M5564
<P>So the "accepted solution" is only per cpu, right? seems like there should be a way to see the top connections/talkers overall, rather than per cpu.</P>Tue, 21 Jan 2020 16:20:06 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72877#M5564C_M2020-01-21T16:20:06ZRe: Finding Bandwidth consuming for particular Hosthttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72918#M5568
If you want bytes consumed, once you've figured out what connection it is, you can always go look in SmartView (logs) and see this information.<BR />That assumes it's either matching on an App Control rule or you've explicitly enabled Accounting on that rule.Tue, 21 Jan 2020 21:21:54 GMThttps://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Finding-Bandwidth-consuming-for-particular-Host/m-p/72918#M5568PhoneBoy2020-01-21T21:21:54Z